830. BREACH OF COMPUTERIZED PERSONAL INFORMATION
With the increased reliance upon electronic data, and the maintenance of personal information of students and employees in electronic format, the Board is concerned about the risk of a breach in the District’s electronic system security and the possible disclosure of personal information. This policy addresses the manner in which the District will respond to unauthorized access and acquisition of computerized data that compromises the security and confidentiality of personal information.
Sec. 2301 et seq.
The Board directs that District administrators shall provide appropriate notification of any computerized system security breach to any state resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed or acquired by unauthorized persons.
Breach of the system’s security - unauthorized access and acquisition of computerized data that materially compromises the security or confidentiality of personal information maintained by the District as part of the database of personal information regarding multiple individuals and that the District reasonably believes has caused or will cause loss or injury to any state resident. Good faith acquisition of personal information by an employee or agent of the School District for the purpose of the District is not a breach of the security of the system if the personal information is not used for a purpose other than the lawful purpose of the District and is not subject to further unauthorized disclosure.
Individual - means any natural person, not an entity or company.
Personal information - includes an individual’s first initial and last name in combination with and linked to any one or more of the following, when not encrypted or redacted:
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state or local government records.
Records - means any material, regardless of its physical form, on which information is recorded or preserved by any means, including written or spoken words, graphically depicted, printed or electromagnetically transmitted. This term does not include publicly available directories containing information that an individual has voluntarily consented to have publicly disseminated or listed, such as name, address or telephone number.
4. Delegation of Responsibility
The Superintendent or designee shall ensure that the District provides notice of any system security breach, following discovery, to any state resident whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person. Such notice shall be made without unreasonable delay, except when a law enforcement agency determines and advises the District in writing that the notification would impede a criminal or civil investigation, or when the District must take necessary measures to determine the scope of the breach and to restore the reasonable integrity of the data system. The District will also provide notice of the breach if the encrypted information is accessed and acquired in an unencrypted form, if the security breach is linked to a breach of security of the encryption, or if the security breach involves a person with access to the encryption key.
Sec. 2302, 2303
The District shall provide notice by at least one (1) of the following methods:
If the District provides notification to more than 1,000 persons at one (1) time, the District shall also notify all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the timing, distribution and number of notices, without unreasonable delay.
Breach of Personal Information Notification Act – 73 P.S. Sec. 2301 et seq.
Fair Credit Reporting Act – 15 U.S.C. Sec. 1681a
Board Policy – 801